IBM Support

PI84714: RACF SECURITY MESSAGE ICH408I FOLLOWED BY DFHCE3541 SECURITY INTERFACE ERROR (00000030). SIGN-ON IS TERMINATED.

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • You've installed maintenance to RSU/1701.  You start to receive
RACF message:
ICH408I USER(  ) GROUP(NOTERM  ) NAME(  )
  LOGON/JOB INITIATION - NOT AUTHORIZED TO TERMINAL CONSOLE1

DFHCE3541  APPLID Security interface error (00000030). Sign-on
is terminated.

You also see DFHSN1108  APPLID Signon at console CONSOLE1 by
user USERID has failed.

The trace shows:
XS FE04 XSSB  *EXC* FUNCTION(INQUIRE_PASSWORD_DATA)
RESPONSE(EXCEPTION) REASON(UNKNOWN_ESM_RESPONSE)
SAF_RESPONSE(8) SAF_REASON(0)
ESM_RESPONSE(30) ESM_REASON(0) PASSWORD_FAILURES(0)

The problem occurs after the installation of CICS APARs PI62428
and PI64443.

PI62428 added POE onto the RACROUTE REQUEST=VERIFYX call made
by  DFHXSSB to verify the password.  It did not add the SESSION
parameter to specify the type of the entry port.  The VERIFYX
call was only ever used when the IRRSPW00 call failed.  In this
case the pasword is valid so IRRSPW00 would work and the
VERIFYX call would never get issued. The subsequent VERIFY
ENVIR=CREATE passes both POE and SESSION and so
the signon would succeed.


PI64443 changed DFHXSSB to use the updated version of the
IRRSPW00 and to set the fast fail option.  This causes the
first IRRSPW00 call to fail immediately (because there isn't a
cache entry) and for CICS to use the VERIFYX call to perform
the valid signon.  This VERIFYX call fails because it passes
POE but does not pass SESSION and the supplied
port of entry is a console and not the default of a
TSO/terminal session.

Additional Symptom(s) Search Keyword(s): KIXREVSWM

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED: All.                                         *
****************************************************************
* PROBLEM DESCRIPTION: CICS signon error accompanied with      *
*                      messages DFHCE3541 and ICH408I.         *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
A user attempts to signon to CICS at a console.  This user only
has access via certain consoles and has no access to CICS from
a regular terminal.  After the fix for APAR PI52900 is applied,
the console signon will fail if the user currently has a
non-zero password failure count.
                                                               .
The failure occurs because PI52900 added the POE parameter to
the RACROUTE REQUEST=VERIFYX call made by DFHXSSB but did not
also add the SESSION parameter.  This causes the external
security manager to use the default SESSION value which is a
standard TSO terminal session.

    



Problem conclusion


    

  • UI33711 UI44249

CICS security code has been amended to pass a SESSION parameter
on the RACROUTE=VERIFYX call from within DFHXSSB.

    



Temporary fix


    

  • FIX AVAILABLE BY PTF ONLY

    



Comments


    

  • 



APAR Information




    

  • APAR number
    PI84714
    • 

  • Reported component name
    CICS TS Z/OS V4
    • 

  • Reported component ID
    5655S9700
    • 

  • Reported release
    700
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2017-07-19
    • 

  • Closed date
    2017-09-14
    • 

  • Last modified date
    2017-10-02
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    
PI82748
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
UI50312
    

    • 



Modules/Macros


    

  • DFHUSAD  DFHXSPW  DFHXSPWT DFHXSSB  DFHXSSBT

    



Fix information


    

  • Fixed component name
    CICS TS Z/OS V4
    • 

  • Fixed component ID
    5655S9700
    • 



Applicable component levels


    

  • R700  PSY  UI50312
       UP17/09/19  P  F709
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








      
              
                            

              

              [{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.2","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.2","Edition":"","Line of Business":{"code":"","label":""}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            02 October 2017
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback